LACP-SG: Lightweight Authentication Protocol for Smart Grids

Smart grids (SGs) have recently acquired considerable attention due to their utilization in sustaining demand response management in power systems. Smart meters (SMs) deployed in SG systems collect and transmit data to the server. Since all communications between SM and the server occur through a public communication channel, the transmitted data are exposed to adversary attacks. Therefore, security and privacy are essential requirements in the SG system for ensuring reliable communication. Additionally, an AuthentiCation (AC) protocol designed for secure communication should be lightweight so it can be applied in a resource-constrained environment. In this article, we devise a lightweight AC protocol for SG named LACP-SG. LACP-SG employs the hash function, “Esch256”, and “authenticated encryption” to accomplish the AC phase. The proposed LACP-SG assures secure data exchange between SM and server by validating the authenticity of SM. For encrypted communication, LACP-SG enables SM and the server to establish a session key (SEK). We use the random oracle model to substantiate the security of the established SEK. Moreover, we ascertain that LACP-SG is guarded against different security vulnerabilities through Scyther-based security validation and informal security analysis. Furthermore, comparing LACP-SG with other related AC protocols demonstrates that LACP-SG is less resource-intensive while rendering better security characteristics.


Introduction
The Industrial Internet of Things (IIoTs) promises to elevate many communication paradigm innovations, focusing on industrial applications. Particularly, IIoT-based smart grid (SG) technology is envisioned to be a vital part of the next-generation power grid system. An SG mainly comprises four elements: sensing, control, actuation, and communication systems. The sensing and communication processes are performed by smart meters (SMs), which are the significant components of an SG, while service providers (SPs) perform actuation and communication [1].
The rapid utilization of SMs has recently been witnessed in smart homes under the SG environment to observe energy utilization in real time. To this end, the SMs communicate with SP on public communication channels. The communication between SMs and SP mandates security and privacy, as the channel used for this communication is prone to various security risks. For instance, an adversary can modify, eavesdrop, and disrupt the communication with consequent degradation in the performance of the SG system [2]. These concerns necessitate the designing of a secure, lightweight, and robust authentication (AC) protocol to guarantee information communication among the honest participants in the SG system while preserving the privacy of the entities.

Security Requirements in SG Systems
An SM transmits electricity usage information periodically to SP via the public internet. Therefore, the following security requirements are imperative for the smooth working of the SG system [3,4].

Security
Firstly, the SG system contains a large number of SMs. Thus, an SP must check the authenticity of the SM before commencing the information exchange process. It is worth noticing that, by authentication, the authenticity of the deployed SMs in the SG system can be verified. Therefore, the authentication protocol should be able to resist various security attacks, such as denial-of-service (DoS), SM capture, ephemeral secret leakage (EPSL), device impersonation (DIMP), man-in-the-middle (MIDM), de-synchronization (DeS), privilege-insider (PrI), replay, and SP impersonation (SPI) attacks [5]. After accomplishing the authentication process, SM and SP need to create a common session key (SEK) to protect the communicated information. Secondly, the authentication protocol needs to guarantee the authenticity of the SM and SP, verify the data's integrity, and ensure non-repudiation. Thirdly, if an adversary captures an SM, the sensitive information procured from the memory of the captured SM should not breach the security of the communication between other SMs and SP [6,7].

Efficiency
In general, an SP has sufficient computational resources and can process a specific volume of information. However, many SMs communicate with SP concurrently in the SG system, requiring significant computational resources. Moreover, SMs are resource-limited devices with limited computational, communication, and energy resources. Thus, it is imperative to devise a resource-efficient authentication protocol that requires the least computational resources of SP and SM during the authentication process [4,8].

Related Work
Security and privacy are the critical parameters of concern for the SG systems. Various security schemes have been proposed to cope with the security challenges in the SG system [9,10]. Li et al. [4] proposed an AC mechanism, which is inefficacious in thwarting replay, MIDM, and EPSL attacks. In addition, the proposed scheme is incapable of rendering mutual authentication (MA) and anonymity features. Kumar et al. [11] proposed an AC mechanism for the SG environment employing elliptic curve cryptography (ECC) and SHA. However, the scheme of Kumar et al. is incapable of restraining MIDM, device impersonation (DIMP), and EPSL attacks and is unable to ensure MA and the security of SEK. An authentication protocol for the SG environment is presented in [12], using PUF and SHA. Similarly, a secure communication protocol for the SG environment is presented in [13], which is unable to withstand DoS and EPSL attacks. An ECC, XOR, and SHA-based lightweight AC protocol for the SG environment is presented in [14], which cannot withstand various security attacks. An authentication and SEK establishment scheme is propounded in [15], utilizing ECC, XOR, and SHA. The authors in [16] propounded a reliable AC protocol using ECC for the SG infrastructure that can hinder different security threats. In this paper, we propose a physical unclonable function (PUF)-based AC mechanism for the SG system. Li et al. [4] devised a pairing-based message AC protocol for the SG environment, unable to withstand the MIDM, DoS, EPSL, and impersonation attacks and incapable of providing security for SEK. Chen et al. [3] propounded a BP-based AC protocol for SG environments, incapable of resisting EPSL and impersonation attacks and incapable of ensuring the security of SEK. The security framework proposed in [17] cannot resist the DeS attack. An AE-based security framework is presented in [18], and its security is proved through the AVISPA.
A detailed summary of various AC protocols or schemes propounded for the SG environment is presented in Table 1.

AC/AKE Protocol | Shortcomings/Security Vulnerabilities
Wu et al. [19] | Unable to thwart MIDM and EPSL attacks. Incapable of rendering anonymity and PFS features.
Dariush et al. [21] | Inefficacious in resisting DoS attack. Incapable of rendering SM's anonymity and SEK security.
Banerjee et al. [22] | Unable to render identity protection and traceability.
Wazid et al. [23] | Exposed to DeS attack. Incapable of rendering revocability and formal validation.
Xie et al. [25] | Inefficacious in resisting replay and impersonation attacks. Incapable of rendering forward secrecy.
LACP-SG | Specialized hardware is required to accomplish the PUF-based AC process. In the future, we will use the AEAD schemes for designing the blockchain-enabled authentication frameworks.

Motivation
Most of the AC protocols in the existing literature are devised using standardized symmetric encryption, such as AES, and public-key cryptography, such as ECC. These standardized cryptographic primitives are computationally expensive for resource-limited devices [14,26]. Moreover, most AC protocols are susceptible to various security risks, including DeS, replay, impersonation attacks, etc., as summarized in Section 2. Therefore, it is imperative to devise a secure and lightweight AC protocol for the SG systems.
Various AEAD schemes are devised to enable encryption and decryption services in resource-limited IoT devices. The main features of AEAD schemes are given to clarify why adopting the lightweight cryptography (LWC) primitives is essential when devising an AC protocol. (i) LWC-based AEAD schemes achieve message authenticity, integrity, and confidentiality simultaneously with a single encryption/decryption operation. This property of AEAD schemes makes them efficacious in reducing the encryption/decryption operations required to perform the AC process. (ii) AEAD schemes demand less computational and energy resources with reduced message overhead. (iii) The LWC-based hash function (Esch256) demands fewer computational resources than the existing hash functions while proffering the same security level. Figure 1 presents the high-level working of an AEAD scheme, which is the base mechanism of the proposed AC protocol. Here, the AEAD scheme at the source node accepts the key along with associative data (AD), initialization vector/nonce, and plaintext (PT) as inputs to return output in the form of ciphertext (CT) and authentication parameters (AP). Moreover, the source generates a message with credentials {AD, CT, AP} and sends this message to the destination to accomplish MA. In the proposed protocol, AD comprises the temporary identity of the source node, i.e., AD = {temporary identity, IP header, etc.}. SP uses the temporary identity to find the record associated with the source from its memory. CT is obtained after encrypting the random numbers and other parameters used in the construction of SEK. At the destination, decryption is performed by using the AEAD scheme. The AEAD scheme generates the PT and $AP_d$ after taking the same input parameters as taken at the source node. To authenticate the validity of the obtained message, the destination node checks the condition $AP = AP_d$. If it holds, the received message is valid.
We adopt the same methodology to propose a secure and lightweight AC protocol for the SG environment.

Research Contributions
The paper comprises the subsequent contributions.

1. This paper proffers a new lightweight AC protocol for SGs, called LACP-SG, which utilizes "Counter Mode Encryption with authentication Tag" (COMET) [27] along with a lightweight hash function "Esch256". LACP-SG enables SP to check the authenticity of SM installed in the SG system before commencing the information exchange process. In addition, LACP-SG enables both the SM and SP to generate a shared SEK for future indecipherable communications.

2. The random oracle model (ROM) is utilized to corroborate the security of the established shared SEK. Moreover, security analysis utilizing the Scyther tool is executed to demonstrate that LACP-SG is resilient against MIDM, DeS, and replay attacks. Informal security is performed to illustrate that LACP-SG is resistant to SM capture and impersonation attacks. Moreover, LACP-SG allows the sensitive credentials associated with SM to be stored in ciphertext form in the database of SP, thereby restraining the PrI attack.

3. The meticulous comparative analysis is conducted to illustrate that LACP-SG renders enhanced security features while requiring low communication, storage, and computational overheads, respectively, than the related eminent AC protocols.
The remainder of the paper is organized as follows. The system models, such as the network and attack model for LACP-SG, are illustrated in Section 3. Section 4 explicates the preliminary knowledge used in designing LACP-SG. The propounded LACP-SG is explicated in Section 5. The resiliency of LACP-SG against various attacks is furnished in Section 6. The significance of the LACP-SG is studied in Section 7. The paper concludes in Section 8.

Network Model
For the authentication process, we contemplate the SG network model as depicted in Figure 2, which constitutes registration authority (RA), smart meters ($SM_i \mid i = 1, 2, \cdots, n$), where "n" symbolizes the installed SMs, and service providers ($SP_k \mid k = 1, 2, \cdots, N$), where "N" symbolizes the number of SPs installed by RA. RA is liable for the registration of $SP_k$. $SP_k$ stores the data or information sent by $SM_i$. $SP_k$ pre-loads the confidential credentials into $SM_i$'s memory before its deployment in the SG environment. $SM_i$ collects the sensitive information and transmits the accumulated information to $SP_k$ via an openly available wireless channel, which is imperiled by different security vulnerabilities. Thus, ensuring the transmitted information's integrity and confidentiality is inevitable. In the subsequent sections, the propounded secure AC protocol is elaborated, which validates the authenticity of the deployed $SM_i$. For encrypted communications, it sets up a secret key between $SP_k$ and $SM_i$.

[Figure 2: SG network model. Labels: Smart Meter, Service Provider.]

Threat Model
We consider the broadly utilized Dolev-Yao (DY) model for the proposed LACP-SG for the SG system [16,28]. The adversary A is able to alter and remove the content of the captured message. Furthermore, after updating the content of the captured message with malicious code, A can generate a malicious message. Network entities such as $SM_i$ can be physically compromised by A. Moreover, A can obtain sensitive data loaded in the memory of $SM_i$. In addition to this, A can use the procured information to carry out various attacks. In addition, $SP_k$ is contemplated as the trusted entity of the SG system. As in the DY model, in the CK-adversary model, A can not only intercept communications in the SG environment, but the secret parameters, such as session keys and state and private keys, can also be compromised by A.

Esch256
We use the hash function "Esch256" in designing LACP-SG, which is faster than SHA-160/256 and requires fewer computational resources. In addition, Esch256 renders the same functionality as provided by SHA-160/256 with an output size of 256 bits. Moreover, Esch256 renders enhanced security features.

Physical Unclonable Function
A physical unclonable function (PUF) is a one-way function. PUF produces a unique output (response) after taking the challenge as the input parameter. The operation of PUF can be represented as $R = PUF(CH)$.

Fuzzy Extractor
A fuzzy extractor (FE) comprises two algorithms, namely, Generator $Gen(\cdot)$ and Reproducer $Rep(\cdot)$. The probabilistic algorithm $Gen(\cdot)$ produces key $K_{SM_i}$ and Helper Data (HD) by taking bio-metric $R$ of user, i.e., $(K_{SM_i}, HD) = Gen(R)$. $Rep(\cdot)$ is a deterministic algorithm that reproduces $K_{SM_i}$ by considering the inputs $R'$ and HD, if the condition $HM(R, R') \leq et$ holds, where HM is the Hamming distance between $R$ and $R'$ and $et$ is the error tolerance.
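The Gen/Rep pair described above can be illustrated with a code-offset construction over a repetition code. This is an added example, not code from the paper; the construction, the repetition factor, the SHA-256 key derivation, and the randomly generated "PUF response" are all assumptions, since the paper does not specify which FE it uses.

```python
import hashlib
import secrets

REP = 5   # repetition factor (assumption): majority vote fixes 2 flips per block
ET = 2    # error tolerance et that this code guarantees for any error pattern

def hamming(a, b):
    """HM(R, R'): number of differing bit positions."""
    return sum(x != y for x, y in zip(a, b))

def _key(seed_bits):
    # derive the 128-bit K_SMi from the seed (SHA-256 truncation is an assumption)
    return hashlib.sha256(bytes(seed_bits)).digest()[:16]

def gen(r):
    """Gen(R) -> (K_SMi, HD); probabilistic: a fresh random seed on every call."""
    seed = [secrets.randbits(1) for _ in range(len(r) // REP)]
    codeword = [bit for bit in seed for _ in range(REP)]
    hd = [c ^ x for c, x in zip(codeword, r)]   # helper data = codeword xor R
    return _key(seed), hd

def rep(r_noisy, hd):
    """Rep(R', HD) -> K_SMi; deterministic, correct while each block has <= 2 flips."""
    noisy_cw = [h ^ x for h, x in zip(hd, r_noisy)]
    seed = [int(sum(noisy_cw[i:i + REP]) > REP // 2)
            for i in range(0, len(noisy_cw), REP)]
    return _key(seed)

def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (simulated noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

def demo():
    # constructed stand-in for a PUF response R: 128 * REP random bits
    r = [secrets.randbits(1) for _ in range(128 * REP)]
    k, hd = gen(r)
    within = flip(r, [3, 400])       # HM(R, R') = 2 <= et
    beyond = flip(r, [10, 11, 12])   # 3 flips inside one block (bits 10..14)
    return {
        "same_reading": rep(r, hd) == k,
        "within_et": hamming(r, within) <= ET and rep(within, hd) == k,
        "beyond_et": rep(beyond, hd) == k,
    }

if __name__ == "__main__":
    print(demo())
```

A reading within the tolerance regenerates the same key, while three flips concentrated in one block change a seed bit and therefore the key, which is the failure case a deployment has to size `et` against.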

The Proposed LACP-SG Protocol
The proposed LACP-SG protocol comprises four phases: (1) SM deployment phase; (2) SP deployment phase; (3) AC phase; and (4) new SM deployment. The subsequent subsections explain the details of the designed LACP-SG protocol. It is assumed that all the participants in the SG environment are time-synchronized to cope with replay attacks. Table 2 lists the notations utilized in devising LACP-SG.
Signifies FE based key production, helper data, and key re-production function, respectively
Signifies attacker/adversary, concatenation, hash-function, and XOR, respectively
Adv, INT-CTXT: "Advantage of A and ciphertext integrity"
"Online pseudo-random permutation chosen-plaintext attack"

SP Deployment Phase
The SP deployment phase is accomplished by RA to deploy $SP_k$. For this, RA picks a unique identity $ID_{SP_k}$ and computes the secret key for the $SP_k$ deployed in SG environment as $K_{SP_k} = H(K_{RA} \parallel ID_{SP_k})$, where $K_{RA}$ is the private key of RA. In addition, RA stores the list of credentials $\{ID_{SP_k}, K_{SP_k}\}$ in the tamper-resistant database of $SP_k$. RA also stores the credentials $\{ID_{SP_k}, K_{SP_k}\}$ in its own database.

SM Deployment Phase
$SM_i$ deployment phase (SDP) is executed by RA. RA stores the secret credentials before $SM_i$ deployment in the SG environment by performing the following necessary steps.

Step SDP-1
$SM_i$ picks a real identity $ID_{SM_i}$ of size 128 bits and a random number $RN_r$ of size 128 bits. $SM_i$ fabricates a message with parameters $\{ID_{SM_i}, RN_r\}$ and sends it to RA through a secure channel. RA picks a challenge parameter $CH_{SM_i}$ and computes temporary identity . In addition to this, RA computes $U = H(ID_{SM_i})$ and determines $SID_i = (U_1 \oplus U_2)$, where $U_1$ and $U_2$ are derived by splitting $U$ into two same-sized chunks, each with the size of 128 bits. RA sends the credentials $\{CH_{SM_i}, TID_{SM_i}\}$ to $SM_i$ via the secure channel.

Step SDP-2
After receiving the parameters $\{CH_{SM_i}, TID_{SM_i}\}$ from RA, $SM_i$ generates a response by using PUF function as $R_i = PUF(CH_{SM_i})$. In addition, $SM_i$ by using FE computes $(K_{SM_i}, HD) = Gen(R_i)$ and sends $K_{SM_i}$ to $SP_k$ through a protected channel. Finally, $SM_i$ keeps the credentials $\{TID_{SM_i}, CH_{SM_i}, RN_r, HD\}$ in its own memory.

AC Phase
In AC phase (ACP), $SM_i$ achieves MA with $SP_k$. Moreover, $SM_i$ establishes a secret SEK with $SP_k$ to achieve encrypted communication. The following steps provide a detailed explanation of the AC phase.

Step ACP-1
$SM_i$ retrieves $CH_{SM_i}$, stored in its memory during its deployment phase, and computes $R_i = PUF(CH_{SM_i})$. $SM_i$ regenerates $K_{SM_i}$ by using FE as $K_{SM_i} = Rep(R_i, HD)$, where the size of $K_{SM_i}$ is 128 bits. In addition, $SM_i$ selects the current timestamp $TS_1$ with size 32 bits, the random number $RN_1$ with size 128 bits, and computes $A = H(TS_1 \parallel RN_r)$ and nonce $N_1 = A_1 \oplus A_2$, where $A_1$ and $A_2$ are procured by splitting $A$ into two same-sized chunks, each with the size of 128 bits. In addition, $SM_i$ computes the associative data $AD_1 = X_1 \oplus X_2$, where $X_1$ and $X_2$ are two equal parts of $TID_{SM_i}$. The size of $N_1$ and $AD_1$ is 128 bits. $SM_i$ by using COMET computes ($CT_1$, , and $RN_1$ denote ciphertext, authentication parameter (Tag), and plaintext, respectively. Finally, $SM_i$ constructs a message $M_1 : \{TS_1, TID_{SM_i}, CT_1, AP_{tag1}\}$ and sends $M_1$ to $SP_k$ through a public communication channel.

Step ACP-2
Upon procuring $M_1$ from $SM_i$, $SP_k$ checks the condition $T_{dly} \geq |T_{mrc} - TS_1|$ to validate the $M_1$ freshness, where $T_{dly}$ is the allowed time delay, $T_{mrc}$ is the $M_1$ received time, and $TS_1$ designates the $M_1$ generation time. If the condition holds, $SP_k$ considers $M_1$ as the authentic message and proceeds with the AC process. Otherwise, $SP_k$ discards $M_1$ and obstructs the AC process. $SP_k$ determines the common parameter $CP_{SP_k}$ as $CP_{SP_k} = H(ID_{SP_k} \parallel K_{SP_k})$. Moreover, $SP_k$ retrieves $ID_{SM_i}$ and $RN_{SM_i}$ by computing $TID_{SM_i} \oplus CP_{SP_k} = (ID_{SM_i} \parallel RN_{SM_i})$, where $TID_{SM_i}$ is received with $M_1$ and $CP_{SP_k}$ is computed at $SP_k$. Additionally, $SP_k$ picks the retrieved $ID_{SM_i}$ and computes $Q = H(ID_{SM_i})$ and $SID_i = Q_1 \oplus Q_2$, where $Q_1$ and $Q_2$ are two chunks of $Q$ each of 128 bits. In addition, $SP_k$ checks if $SID_i$ is located in its database (memory). If $SID_i$ is found, $SP_k$ retrieves the credential $\{B_i\}$ corresponding to $SID_i$, stored in the database (memory) of $SP_k$. In addition to this, $SP_k$ computes $CP_{SP_k} \oplus B_i = (RN_r \parallel K_{SM_i})$. Additionally, $SP_k$ determines $AA = H(TS_1 \parallel RN_r)$ and nonce $N_2 = AA_1 \oplus AA_2$, where $AA_1$ and $AA_2$ are procured by splitting $AA$ into two same-sized chunks, each with the size of 128 bits. Furthermore, $SM_i$ computes $AD_2 = X^a_1 \oplus X^a_2$, where $X^a_1$ and $X^a_2$ are two equal parts of $TID_{SM_i}$. Finally, $SP_k$ by using COMET computes $(RN_1, AP_{tag2}) = D_{K_{SM_i}}\{(N_2, AD_2), CT_1\}$, where $AD_2$, $N_2$, $CT_1$, $AP_{tag2}$, and $RN_1$ denote associative data, nonce, ciphertext, authentication parameter (Tag), and plaintext, respectively. To validate the authenticity of $M_1$, $SP_k$ checks the condition $AP_{tag1} = AP_{tag2}$. If it holds, $SP_k$ considers $M_1$ as the authentic message, which is received from a valid $SM_i$. Otherwise, $SP_k$ discards $M_1$ and aborts the AC process.
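The AEAD flow from the Motivation section and Steps ACP-1 and ACP-2 can be traced end to end in the following added example, which is not code from the paper. Assumptions: SHA-256 stands in for Esch256, a SHA-256/HMAC construction stands in for COMET, $RN_{SM_i}$ is taken as 128 bits, $K_{SM_i}$ is taken as already regenerated through PUF and FE, and the names `build_m1`, `ServiceProvider`, `register`, and `verify_m1` are hypothetical.

```python
import hashlib
import hmac
import os

def H(*parts):
    """Stand-in for Esch256 (assumption): SHA-256 of the concatenated parts."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def fold(v):
    """Split a 256-bit value into two 128-bit halves and XOR them."""
    return xor(v[:16], v[16:])

# Stand-in AEAD (assumption, NOT COMET): SHA-256 counter keystream + HMAC tag.
def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += H(b"enc", key, nonce, ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]

def _tag(key, nonce, ad, ct):
    # nonce and ad are fixed at 16 bytes each, so the encoding is unambiguous
    return hmac.new(key, b"tag" + nonce + ad + ct, hashlib.sha256).digest()[:16]

def aead_encrypt(key, nonce, ad, pt):
    ct = xor(pt, _stream(key, nonce, len(pt)))
    return ct, _tag(key, nonce, ad, ct)

def aead_decrypt(key, nonce, ad, ct):
    """Return (PT, recomputed tag); the caller compares tags as in Step ACP-2."""
    return xor(ct, _stream(key, nonce, len(ct))), _tag(key, nonce, ad, ct)

def build_m1(tid, rn_r, k_sm, now):
    """Step ACP-1 on SM_i."""
    ts1 = now.to_bytes(4, "big")           # 32-bit timestamp TS_1
    rn1 = os.urandom(16)                   # 128-bit RN_1
    n1 = fold(H(ts1, rn_r))                # N_1 = A_1 xor A_2, A = H(TS_1 || RN_r)
    ad1 = fold(tid)                        # AD_1 = X_1 xor X_2
    ct1, ap_tag1 = aead_encrypt(k_sm, n1, ad1, rn1)
    return (ts1, tid, ct1, ap_tag1), rn1

class ServiceProvider:
    def __init__(self, id_sp, k_sp, t_dly=5):
        self.cp = H(id_sp, k_sp)           # CP_SPk = H(ID_SPk || K_SPk)
        self.db = {}                       # SID_i -> B_i
        self.t_dly = t_dly                 # allowed delay T_dly in seconds (assumed)

    def register(self, id_sm, rn_r, k_sm, rn_sm):
        """Store {SID_i, B_i}; return TID_SMi = (ID_SMi || RN_SMi) xor CP_SPk."""
        self.db[fold(H(id_sm))] = xor(rn_r + k_sm, self.cp)
        return xor(id_sm + rn_sm, self.cp)

    def verify_m1(self, m1, now):
        """Step ACP-2: returns (RN_1, "ok") or (None, reason)."""
        ts1, tid, ct1, ap_tag1 = m1
        if abs(now - int.from_bytes(ts1, "big")) > self.t_dly:
            return None, "stale"
        id_sm = xor(tid, self.cp)[:16]     # unmask ID_SMi from TID_SMi
        b_i = self.db.get(fold(H(id_sm)))  # look up SID_i = Q_1 xor Q_2
        if b_i is None:
            return None, "unknown SID"
        unmasked = xor(b_i, self.cp)       # RN_r || K_SMi
        rn_r, k_sm = unmasked[:16], unmasked[16:]
        n2, ad2 = fold(H(ts1, rn_r)), fold(tid)
        rn1, ap_tag2 = aead_decrypt(k_sm, n2, ad2, ct1)
        if not hmac.compare_digest(ap_tag1, ap_tag2):
            return None, "bad tag"
        return rn1, "ok"

def demo(now=1_700_000_000):
    """Constructed run: one honest M_1 and three manipulated copies."""
    sp = ServiceProvider(os.urandom(16), os.urandom(32))
    id_sm, rn_r, k_sm = os.urandom(16), os.urandom(16), os.urandom(16)
    tid = sp.register(id_sm, rn_r, k_sm, os.urandom(16))
    m1, rn1 = build_m1(tid, rn_r, k_sm, now)
    ts1, _, ct1, tag = m1
    flipped = bytes([ct1[0] ^ 1]) + ct1[1:]
    new_ts = (now + 60).to_bytes(4, "big")
    return rn1, {
        "honest": sp.verify_m1(m1, now + 1),
        "replayed_late": sp.verify_m1(m1, now + 60),
        "tampered_ct": sp.verify_m1((ts1, tid, flipped, tag), now + 1),
        # rewriting TS_1 passes the freshness test but changes N_2, so the tag fails
        "ts_rewritten": sp.verify_m1((new_ts, tid, ct1, tag), now + 60),
    }

if __name__ == "__main__":
    for case, result in demo()[1].items():
        print(case, result[1])
```

The last case shows why the nonce is derived from $TS_1$: a captured $M_1$ with a rewritten timestamp clears the $T_{dly}$ check but is rejected at the tag comparison.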

Step ACP-3
After substantiating the authenticity of $M_1$, $SP_k$ picks timestamp $TS_2$, $RN_2$, $RN^n_{SM_i}$, and computes the new temporary identity $TID^{new}$ , which is used in the encryption process. For encrypted communication in future, $SP_k$ computes SEK as ). In addition to this, by using COMET, $SP_k$ computes ($CT_2$, $AP_{tag3}$ $CT_2$, $AP_{tag3}$, and $PT_1$ denote associative data, nonce, ciphertext, authentication parameter, and plaintext, respectively. Finally, $SP_k$ contrives a message $M_2 : \{TS_2, CT_2, AP_{tag3}\}$ and dispatches $M_2$ to $SM_i$ via an open/wireless channel.

Step ACP-4
After acquiring $M_2$ from $SP_k$, $SM_i$ checks the condition $T_{dly} \geq |T_{mrc} - TS_2|$ to validate the freshness of in its own memory. Figure 3 summarizes the LACP-SG AC phase.
[Figure 3: LACP-SG AC phase. The final step shown checks $SK_{v1} = SK_{v2}$; if it holds, both $SK_{SM_i}$ and $SK_{SP_k}$ are equal. Otherwise, it terminates the AC process.]

New SM Deployment Phase
RA performs the subsequent steps to deploy a new $SM^n_i$.

Anonymity and Untraceability
Assume A eavesdrops the communicated messages, such as $M_1 : \{TS_1, TID_{SM_i}, CT_1, AP_{tag1}\}$ and $M_2 : \{TS_2, CT_2, AP_{tag3}\}$, which are exchanged during the AC phase of the proposed LACP-SG. A cannot determine the real identity of SM or SP, which are $ID_{SM_i}$ and $ID_{SP_k}$, respectively, from the captured $M_1$ and $M_2$. A by capturing $M_1$ and $M_2$ cannot procure the real identities of SM and SP.

Replay Attack
A, after expropriating all the messages, such as $M_1 : \{TS_1, TID_{SM_i}, CT_1, AP_{tag1}\}$ and $M_2 : \{TS_2, CT_2, AP_{tag3}\}$, tries to regenerate the captured messages to obtain helpful information from the participants of the AC phase. However, we assume the system is time-synchronized, and each message bears the newest timestamp and random numbers. A cannot mount the replay attack because the entities $SM_i$ and $SP_k$ verify the newness/oldness of the obtained message by confirming the condition $T_{dly} \geq |T_{mrc} - TS_1|$ and $T_{dly} \geq |T_{mrc} - TS_2|$, respectively. If the obtained transmission is delayed, the receiving entity will discard the obtained message. In this way, the proposed LACP-SG detects the replayed messages and discards such received messages. Hence, LACP-SG is protected against replay attacks.

DeS Attack
The proposed LACP-SG renders resistance against DeS attack. For anonymous communication, $SM_i$ uses $TID_{SM_i}$, which is updated by $SP_k$ during the accomplishment of every new AC session. $SP_k$ constructs $TID_{SM_i}$ by concatenating $ID_{SM_i}$ and a fresh random number $RN_{SM_i}$, i.e., $(ID_{SM_i} \parallel RN_{SM_i}) \oplus CP_{SP_k}$, where $ID_{SM_i}$ remains constant and $RN_{SM_i}$ is updated to $RN^n_{SM_i}$. Suppose A drops $M_2$ during the execution of the AC phase. This action of A cannot affect the execution of the new AC session because $ID_{SM_i}$ is constant, which is extracted by $SP_k$ to compute the $SID_i$. $SID_i$ is used to find the record at $SP_k$ related to $SM_i$. So, LACP-SG is capable of resisting the DeS attack.

Privilege Insider Attack
To accomplish the authentication phase in the proposed LACP-SG scheme, $SP_k$ stores the parameters $\{SID_i, B_i\}$ in the database. Thus, to fabricate valid messages, such as $M_1 : \{TS_1, TID_{SM_i}, CT_1, AP_{tag1}\}$ and $M_2 : \{TS_2, CT_2, AP_{tag3}\}$, it is imperative for A to compute $CP_{SP_k} \oplus B_i = (RN_r \parallel K_{SM_i})$. However, without knowing the secret key of $SP_k$, it is hard for A to extract $RN_r$ and $K_{SM_i}$, which are required to construct $M_1$ and $M_2$. Hence, LACP-SG can resist the PrI attack.

MIDM Attack
Assume that A expropriates all the exchanged messages $M_1$ and $M_2$ between the entities during the AC phase over the wireless/open communication channel. Now, A may attempt to reconstruct the seized messages to make the participants of the system believe that the received messages are generated by licit entities. To simulate a licit message $M_1$ on behalf of $SM_i$, A requires to have all the confidential/secret credentials of $SM_i$, i.e., $\{ID_{SM_i}, CH_i, K_{SM_i}\}$. Similarly, A needs to extricate all the secret/confidential parameters of $SP_k$ to construct a valid response message on behalf of $SP_k$. However, without having all the confidential credentials of $SM_i$ and $SP_k$, it is impractical for A to construct a valid message. Therefore, LACP-SG can restrain MIDM attacks.

Impersonation/Modification/Injection Attack
To impersonate $SP_k$, A has to regenerate the message $M_2$ on behalf of $SP_k$ to make $SM_i$ believe that the message is licit and obtained from an honest $SP_k$. Now, suppose A attempts to generate $M_1$ with valid credentials. However, to generate $M_2$, A requires knowing the confidential credentials of $SP_k$. However, A cannot produce a valid message $M_2$ in polynomial time without knowing the secret credentials to emulate as legitimate $SP_k$. Similarly, A requires knowing the confidential credentials of $SM_i$. Therefore, LACP-SG is protected against $SM_i$ and $SP_k$ impersonation attacks.

Key Compromise Impersonation Attack
In this attack, A tries to impersonate a valid $SM_i$ by compromising the long-term secret key of $SP_k$. However, to construct a valid message $M_1 : \{TS_1, TID_{SM_i}, CT_1, AP_{tag1}\}$, it is necessary for A to obtain the secret parameters, such as $RN_r$ and $K_{SM_i}$. Thus, without having these confidential parameters, it is hard for A to impersonate a valid $SM_i$. Similarly, without having the confidential parameters of $SP_k$, A cannot impersonate a licit $SP_k$. In this way, LACP-SG can resist key compromise impersonation attacks.

Known Session-Specific Temporary Information Leakage/EPSL Attack
According to the CK-adversary model, A can compromise the secret credentials (Long Term Secrets (LTS), Ephemeral Secrets (ES)), and session states aside from all the actions allowed under the DY model. In LACP-SG, the session key is created using both LTS and ES, i.e., . Therefore, it is imperative for A to guess that both LTS and ES construct the session key.

SM Capture/Memory Modification Attack
According to the DY threat model, A can seize some of the SMs from the SG environment. A can extricate the secret credentials kept in the memory of SM by using a power analysis attack. However, the parameters $CH_i$, $RN_r$, and $TID_{SM_i}$ are distinct for all SMs installed in the SG environment. Therefore, by capturing some of the installed SMs, A cannot compromise the security of the whole SG environment. Hence, LACP-SG is resilient against SM capture attacks.

ROM-Based Formal Security Analysis
This section provides a ROM-based analysis of the SEK security between $SM_i$ and $SP_k$ during the execution of the AC phase of LACP-SG. The subsequent components are described in the ROM model.
Participants: Suppose that $\Psi^{t1}_{RA}$, $\Psi^{t2}_{SM_i}$, and $\Psi^{t3}_{SP_k}$ represent instances t1, t2, and t3 of the participants RA, $SM_i$, and $SP_k$, denoted as oracles.
Accepted state: When an instance $\Psi^{t}$ acquires the last message, it will be in the accepted state. The session identification (Sid) of $\Psi^{t}$ for the current session prescribes the ordered sequence of all exchanged messages (i.e., messages sent/received by $\Psi^{t}$).
Partnering: Two instances $\Psi^{t2}$ and $\Psi^{t2}$ are partners only if both are in an acceptable state and share similar session keys.
Freshness: A is unable to obtain the SEK established between $SM_i$ and $SP_k$ by running the Reveal query presented in Table 3.
Adversary: A can fully control and seize all the messages and alter, falsify, and infiltrate messages by employing the queries expressed in Table 3. A can execute the hash function $H(\cdot)$, referred to as random oracle ESHah.
Table 3. ROM-based queries.

Query | Purpose
 | Perpetration of this query enables A to seize all the transmitted messages between $SM_i$ and $SP_k$.
Send($\Psi^{t}$, Msg) | Perpetration of this query enables A to yield an active attack by dispatching a message Msg to $\Psi^{t2}$, and $\Psi^{t1}$ also responds to Msg accordingly.
Reveal($\Psi^{t}$) | Perpetration of this query enables A to get the shared SEK, utilized to guarantee the secure transmission between $\Psi^{t1}$ and its interrelated entity.
CorruptSM($\Psi^{t2}_{SM_i}$) | Perpetration of this query helps A to acquire the secret/private parameters loaded in the storage of $SM_i$ by operating PA attack.
Test($\Psi^{t}$) | Perpetration of this query enables A to ascertain whether the guessed SEK is licit or random output, just like the outcome of a flipped coin, say C.
Theorem 1. Let A run against LACP-SG in pt to derive the established SEK between $SM_i$ and $SP_k$ during the AC phase. Let $H_{que}$ signify Esch256 queries, |ESHah| designate the range space of Esch256 output, $H_{puf}$ represent PUF queries, |PUF| designate the range space of PUF output, and $Adv^{OCCA3}_{COMET,A}(que, len, pt)$ be the advantage in compromising the security of an online AEAD scheme (COMET) (Definition 1). The maximum advantage of A for compromising the security of SEK, established between $SM_i$ and $SP_k$, can be described as follows: COMET,A (que, len, pt). (2)
Proof. The succeeding five games ($GM_z \mid z = 0, 1, 2, 3, 4$) are executed to prove Theorem 1.
In addition to this, we characterize the A advantage in compromising the security of SEK by Adv LACP−SG
$GAM_1$: In $GAM_1$, A makes the execute query to effectuate the eavesdrop attack. By effectuating eavesdrop attack during the execution of AC phase, A can intercept all the exchanged messages, such as $M_1 : \{TS_1, TID_{SM_i}, CT_1, AP_{tag1}\}$ and $M_2 : \{TS_2, CT_2, AP_{tag3}\}$. A effectuates Test at the end of this game and validates whether the outcome of the Test query is a random number or a real session key, i.e., The session key is produced in the proposed LACP-SG using the LTS and ES. Therefore, to reveal the session key established between $SM_i$ and $SP_k$, it is imperative for A to guess both the ES and LTS simultaneously. However, it is impractical for A to procure all the secret parameters by capturing $M_1$ and $M_2$. So, the winning chance of this game for A will not increase by effectuating the eavesdrop attack:
$GAM_2$: In this game, the aim of A is to deceive an entity to receive a mutated message. A is authorized to make various ESHah queries to check the presence of the hash collisions. All the exchanged messages, such as $M_1 : \{TS_1, TID_{SM_i}, CT_1, AP_{tag1}\}$ and $M_2 : \{TS_2, CT_2, AP_{tag3}\}$ during the AC phase indirectly include the associative data and nonce, and temporary identities, which are protected by the collision-resistant Esch256 hash function. Therefore, there will be no collision when A performs Send queries. The consequences of the birthday paradox confer
$GAM_3$: This game is considered a continuation of $GAM_2$ that simulates PUF queries. According to $GAM_2$, it follows that
$GAM_4$: In this game, A attempts to construct the session key by capturing $M_1$ and $M_2$, which are protected by AEAD scheme. In LACP-SG the session key is constructed as $SK_{SM_i} (= SK_{SP_k}) = H(TID_{SM_i} \parallel RN_1 \parallel (RN_2 \oplus ID_{SM_i}) \parallel TS_2 \parallel TID^{new}_{SM_i})$. Therefore, A has to procure $RN_1$ and $RN_2$, which are encrypted using AEAD scheme (COMET).
Moreover, the associative data and the initialization vector used in the encryption process are random. In addition, secret keys are required to decrypt $CT_1$ and $CT_2$. It is computationally impractical to perform the decryption process in polynomial time. Due to OCCA3 property (Definition 1), it then follows that COMET,A (que, len, pt).
As all the queries are performed, A executes the Test queries to presume bit C for winning the game. Thus, we obtain From (3) and (4), we obtain From (9), we obtain By using (8) and (10) By utilizing (5), (6), (7) and (12), we obtain

Scyther Based Formal Security Verification
We investigated the formal security of LACP-SG by utilizing the widely adopted validation tool, Scyther. Scyther is a Python-based software designed to formally analyze the security of the authentication schemes, their security claims, and potential vulnerabilities. Scyther employs the Security Protocol Description Language (SPDL) for describing a devised security scheme and is also utilized to determine the weaknesses of a security scheme by demonstrating any potential threats or risks. In the proposed LACP-SG, two roles are defined, $SM_i$ and $SP_k$. There are two manually specified claims, claim(SM, Secret, SK) and claim(SP, Secret, SK), which are validated by Scyther, as shown in Figure 4. In addition, Scyther also generates the claims, such as claim(SM, Alive), claim(SM, Nisynch), and claim(SM, Niagree), which are validated as demonstrated in Figure 4.

Security Comparison
A comparison of the security properties of LACP-SG and other related AC schemes is demonstrated in Table 5. That of Bera et al. [29] cannot restrain the DeS attack, that of Bera et al. [34] is unprotected against the DeS attack, and that of Mehmood et al. [20] is insecure against the DoS, MIDM, PrI, EPSL, RA attacks and does not provide the SEK security. The scheme of Kumar et al. [11] is insecure against DIMP, MIDM, and EPSL attacks and does not provide SEK security. In addition to this, the scheme of Chaudhry et al. [35] is incapable of resisting EPSL, SIMP, DIMP, device capture, and SEK disclosure attacks. Moreover, Chaudhry et al. [30] provide insecure certificate computation, which causes various attacks, such as device capture and DIMP attacks. However, the proposed LACP-SG is secure and protected against various pernicious attacks, such as MIDM and DeS attacks.
Table 5. Security comparison.

Communication Overhead Comparison
For analyzing the communication overhead that occurred during the AC phase, we suppose that the length of the ECC point, identity, hash function output, initialization vector/random number/nonce, and timestamp are 320, 128, 256, 128, and 32 bits, respectively. There are two messages required to accomplish the AC phase of LACP-SG, i.e., M 1 : {TS 1 ,  [35], and Mehmood et al. [20], respectively. The comparison between LACP-SG and the related AC protocol communication overhead is given in Table 6 and Figure 5.

Conclusions
This paper presents an AC protocol called LACP-SG, which enables secure communication in the resource-constrained SG environment. To this end, LACP-SG validates the authenticity of the deployed SM and establishes a SEK between the SM and server to accomplish secure communications. The security of the established SEK is validated through ROM-based analysis. Moreover, through Scyther-based analysis, LACP-SG is found to be secure against MIDM and replay attacks. Informal security analysis reveals that the protocol is protected against de-synchronization and SM capture attacks. Finally, a rigorous comparative analysis shows that LACP-SG renders superior security and requires lower computational, storage, and communication cost than the related AC protocols, thereby advocating the feasibility of LACP-SG for SG applications.